From db815c4a3b4f143077a90faa49a95bde17950a32 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 22 Jul 2017 18:26:23 +0100 Subject: [PATCH] Update to 4.12.3 --- debian/changelog | 12 +- ...elf-use-elf_et_dyn_base-only-for-pie.patch | 167 ------------------ ...types.h-for-genksyms-to-generate-crc.patch | 47 ----- ...efile.build-requires-line-break-betw.patch | 92 ---------- debian/patches/series | 3 - 5 files changed, 8 insertions(+), 313 deletions(-) delete mode 100644 debian/patches/bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch delete mode 100644 debian/patches/bugfix/sparc/adding-asm-prototypes.h-for-genksyms-to-generate-crc.patch delete mode 100644 debian/patches/bugfix/sparc/sed-regex-in-makefile.build-requires-line-break-betw.patch diff --git a/debian/changelog b/debian/changelog index b7024ff97..3f897ffe2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,12 @@ -linux (4.12.2-1~exp2) UNRELEASED; urgency=medium +linux (4.12.3-1~exp1) UNRELEASED; urgency=medium + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.3 + - [sparc64] Adding asm-prototypes.h for genksyms to generate crc + - [sparc64] sed regex in Makefile.build requires line break between + exported symbols + + [ Ben Hutchings ] * media: Enable USB_RAINSHADOW_CEC as module (see #868511) * Clean up symbol version fixes for symbols exported from asm (fixes FTBFS on sparc64): 
@@ -7,9 +14,6 @@ linux (4.12.2-1~exp2) UNRELEASED; urgency=medium - [alpha] Restore symbol versions for symbols exported from assembly - [m68k] Un-revert "m68k: move exports to definitions" - [sparc64] Un-revert "sparc: move exports to definitions" - - [sparc64] Adding asm-prototypes.h for genksyms to generate crc - - [sparc64] sed regex in Makefile.build requires line break between - exported symbols * [mips*/octeon] Fix broken EDAC driver (fixes FTBFS) * [armhf] Revert "gpu: host1x: Add IOMMU support" * [armhf] udeb: Replace imx-ipuv3-crtc with imxdrm in fb-modules diff --git a/debian/patches/bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch b/debian/patches/bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch deleted file mode 100644 index b2a0f5a1e..000000000 --- a/debian/patches/bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch +++ /dev/null 
@@ -1,167 +0,0 @@
-From: Kees Cook
-Date: Mon, 10 Jul 2017 15:52:37 -0700
-Subject: binfmt_elf: use ELF_ET_DYN_BASE only for PIE
-Origin: https://git.kernel.org/linus/eab09532d40090698b05a07c1c87f39fdbc5fab5
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000370
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000371
-
-The ELF_ET_DYN_BASE position was originally intended to keep loaders
-away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
-/bin/cat" might cause the subsequent load of /bin/cat into where the
-loader had been loaded.)
-
-With the advent of PIE (ET_DYN binaries with an INTERP Program Header),
-ELF_ET_DYN_BASE continued to be used since the kernel was only looking
-at ET_DYN. However, since ELF_ET_DYN_BASE is traditionally set at the
-top 1/3rd of the TASK_SIZE, a substantial portion of the address space
-is unused.
-
-For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are
-loaded above the mmap region. This means they can be made to collide
-(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
-pathological stack regions.
-
-Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap
-region in all cases, and will now additionally avoid programs falling
-back to the mmap region by enforcing MAP_FIXED for program loads (i.e.
-if it would have collided with the stack, now it will fail to load
-instead of falling back to the mmap region).
-
-To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
-are loaded into the mmap region, leaving space available for either an
-ET_EXEC binary with a fixed location or PIE being loaded into mmap by
-the loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
-which means architectures can now safely lower their values without risk
-of loaders colliding with their subsequently loaded programs.
-
-For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
-the entire 32-bit address space for 32-bit pointers.
-
-Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
-suggestions on how to implement this solution.
-
-Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
-Link: http://lkml.kernel.org/r/20170621173201.GA114489@beast
-Signed-off-by: Kees Cook
-Acked-by: Rik van Riel
-Cc: Daniel Micay
-Cc: Qualys Security Advisory
-Cc: Thomas Gleixner
-Cc: Ingo Molnar
-Cc: "H. Peter Anvin"
-Cc: Alexander Viro
-Cc: Dmitry Safonov
-Cc: Andy Lutomirski
-Cc: Grzegorz Andrejczuk
-Cc: Masahiro Yamada
-Cc: Benjamin Herrenschmidt
-Cc: Catalin Marinas
-Cc: Heiko Carstens
-Cc: James Hogan
-Cc: Martin Schwidefsky
-Cc: Michael Ellerman
-Cc: Paul Mackerras
-Cc: Pratyush Anand
-Cc: Russell King
-Cc: Will Deacon
-Cc:
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
----
- arch/x86/include/asm/elf.h | 13 +++++-----
- fs/binfmt_elf.c | 59 +++++++++++++++++++++++++++++++++++++++-------
- 2 files changed, 58 insertions(+), 14 deletions(-)
-
---- a/arch/x86/include/asm/elf.h
-+++ b/arch/x86/include/asm/elf.h
-@@ -246,12 +246,13 @@ extern int force_personality32;
- #define CORE_DUMP_USE_REGSET
- #define ELF_EXEC_PAGESIZE 4096
-
--/* This is the location that an ET_DYN program is loaded if exec'ed. Typical
-- use of this is to invoke "./ld.so someprog" to test out a new version of
-- the loader. We need to make sure that it is out of the way of the program
-- that it will "exec", and that there is sufficient room for the brk. */
--
--#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
-+/*
-+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
-+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
-+ * space open for things that want to use the area for 32-bit pointers.
-+ */
-+#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
-+ 0x100000000UL)
-
- /* This yields a mask that user programs can use to figure out what
- instruction set this CPU supports. This could be done in user space,
---- a/fs/binfmt_elf.c
-+++ b/fs/binfmt_elf.c
-@@ -927,17 +927,60 @@ static int load_elf_binary(struct linux_
- elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE;
-
- vaddr = elf_ppnt->p_vaddr;
-+ /*
-+ * If we are loading ET_EXEC or we have already performed
-+ * the ET_DYN load_addr calculations, proceed normally.
-+ */
- if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) {
- elf_flags |= MAP_FIXED;
- } else if (loc->elf_ex.e_type == ET_DYN) {
-- /* Try and get dynamic programs out of the way of the
-- * default mmap base, as well as whatever program they
-- * might try to exec. This is because the brk will
-- * follow the loader, and is not movable. */
-- load_bias = ELF_ET_DYN_BASE - vaddr;
-- if (current->flags & PF_RANDOMIZE)
-- load_bias += arch_mmap_rnd();
-- load_bias = ELF_PAGESTART(load_bias);
-+ /*
-+ * This logic is run once for the first LOAD Program
-+ * Header for ET_DYN binaries to calculate the
-+ * randomization (load_bias) for all the LOAD
-+ * Program Headers, and to calculate the entire
-+ * size of the ELF mapping (total_size). (Note that
-+ * load_addr_set is set to true later once the
-+ * initial mapping is performed.)
-+ *
-+ * There are effectively two types of ET_DYN
-+ * binaries: programs (i.e. PIE: ET_DYN with INTERP)
-+ * and loaders (ET_DYN without INTERP, since they
-+ * _are_ the ELF interpreter). The loaders must
-+ * be loaded away from programs since the program
-+ * may otherwise collide with the loader (especially
-+ * for ET_EXEC which does not have a randomized
-+ * position). For example to handle invocations of
-+ * "./ld.so someprog" to test out a new version of
-+ * the loader, the subsequent program that the
-+ * loader loads must avoid the loader itself, so
-+ * they cannot share the same load range. Sufficient
-+ * room for the brk must be allocated with the
-+ * loader as well, since brk must be available with
-+ * the loader.
-+ *
-+ * Therefore, programs are loaded offset from
-+ * ELF_ET_DYN_BASE and loaders are loaded into the
-+ * independently randomized mmap region (0 load_bias
-+ * without MAP_FIXED).
-+ */
-+ if (elf_interpreter) {
-+ load_bias = ELF_ET_DYN_BASE;
-+ if (current->flags & PF_RANDOMIZE)
-+ load_bias += arch_mmap_rnd();
-+ elf_flags |= MAP_FIXED;
-+ } else
-+ load_bias = 0;
-+
-+ /*
-+ * Since load_bias is used for all subsequent loading
-+ * calculations, we must lower it by the first vaddr
-+ * so that the remaining calculations based on the
-+ * ELF vaddrs will be correctly offset. The result
-+ * is then page aligned.
-+ */
-+ load_bias = ELF_PAGESTART(load_bias - vaddr);
-+
- total_size = total_mapping_size(elf_phdata,
- loc->elf_ex.e_phnum);
- if (!total_size) {
diff --git a/debian/patches/bugfix/sparc/adding-asm-prototypes.h-for-genksyms-to-generate-crc.patch b/debian/patches/bugfix/sparc/adding-asm-prototypes.h-for-genksyms-to-generate-crc.patch
deleted file mode 100644
index 065f0a2a3..000000000
--- a/debian/patches/bugfix/sparc/adding-asm-prototypes.h-for-genksyms-to-generate-crc.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Nagarathnam Muthusamy
-Date: Mon, 19 Jun 2017 13:08:48 -0400
-Subject: Adding asm-prototypes.h for genksyms to generate crc
-Origin: https://git.kernel.org/linus/bdca8cc096203b17ad0ac4e19f50578207e054d2
-
-This patch adds the prototypes of assembly defined functions to asm-prototypes.h.
-Some prototypes are directly added as they are not present in any existing header
-files.
-
-Signed-off-by: Nagarathnam Muthusamy
-Reviewed-by: Babu Moger
-Signed-off-by: David S. Miller
----
- arch/sparc/include/asm/asm-prototypes.h | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
- create mode 100644 arch/sparc/include/asm/asm-prototypes.h
-
-diff --git a/arch/sparc/include/asm/asm-prototypes.h b/arch/sparc/include/asm/asm-prototypes.h
-new file mode 100644
-index 000000000000..d381e11c5dbb
---- /dev/null
-+++ b/arch/sparc/include/asm/asm-prototypes.h
-@@ -0,0 +1,24 @@
-+/*
-+ * Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved.
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+void *__memscan_zero(void *, size_t);
-+void *__memscan_generic(void *, int, size_t);
-+void *__bzero(void *, size_t);
-+void VISenter(void); /* Dummy prototype to supress warning */
-+#undef memcpy
-+#undef memset
-+void *memcpy(void *dest, const void *src, size_t n);
-+void *memset(void *s, int c, size_t n);
-+typedef int TItype __attribute__((mode(TI)));
-+TItype __multi3(TItype a, TItype b);
diff --git a/debian/patches/bugfix/sparc/sed-regex-in-makefile.build-requires-line-break-betw.patch b/debian/patches/bugfix/sparc/sed-regex-in-makefile.build-requires-line-break-betw.patch
deleted file mode 100644
index 38b68eddc..000000000
--- a/debian/patches/bugfix/sparc/sed-regex-in-makefile.build-requires-line-break-betw.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -From: Nagarathnam Muthusamy -Date: Mon, 19 Jun 2017 13:08:49 -0400 -Subject: sed regex in Makefile.build requires line break between exported - symbols -Origin: https://git.kernel.org/linus/d16c0649feb4fe4e814f44803df5a617769c3233 - -The following regex in Makefile.build matches only one ___EXPORT_SYMBOL per line. - -sed -'s/.*___EXPORT_SYMBOL[[:space:]]*\([a-zA-Z0-9_]*\)[[:space:]]*,.*/EXPORT_SYMBOL(\1);/' - -ATOMIC_OPS macro in atomic_64.S expands multiple symbols in same line hence -version generation is done only for the last matched symbol. This patch adds -new line between the symbol expansions. - -Signed-off-by: Nagarathnam Muthusamy -Reviewed-by: Babu Moger -Signed-off-by: David S. Miller ---- - arch/sparc/lib/atomic_64.S | 44 ++++++++++++++++++++++++++------------------ - 1 file changed, 26 insertions(+), 18 deletions(-) - -diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S -index 1c6a1bde5138..ce17c3094ba6 100644 ---- a/arch/sparc/lib/atomic_64.S -+++ b/arch/sparc/lib/atomic_64.S -@@ -62,19 +62,23 @@ ENTRY(atomic_fetch_##op) /* %o0 = increment, %o1 = atomic_ptr */ \ - ENDPROC(atomic_fetch_##op); \ - EXPORT_SYMBOL(atomic_fetch_##op); - --#define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op) ATOMIC_FETCH_OP(op) -+ATOMIC_OP(add) -+ATOMIC_OP_RETURN(add) -+ATOMIC_FETCH_OP(add) - --ATOMIC_OPS(add) --ATOMIC_OPS(sub) -+ATOMIC_OP(sub) -+ATOMIC_OP_RETURN(sub) -+ATOMIC_FETCH_OP(sub) - --#undef ATOMIC_OPS --#define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_FETCH_OP(op) -+ATOMIC_OP(and) -+ATOMIC_FETCH_OP(and) - --ATOMIC_OPS(and) --ATOMIC_OPS(or) --ATOMIC_OPS(xor) -+ATOMIC_OP(or) -+ATOMIC_FETCH_OP(or) -+ -+ATOMIC_OP(xor) -+ATOMIC_FETCH_OP(xor) - --#undef ATOMIC_OPS - #undef ATOMIC_FETCH_OP - #undef ATOMIC_OP_RETURN - #undef ATOMIC_OP -@@ -124,19 +128,23 @@ ENTRY(atomic64_fetch_##op) /* %o0 = increment, %o1 = atomic_ptr */ \ - ENDPROC(atomic64_fetch_##op); \ - EXPORT_SYMBOL(atomic64_fetch_##op); - --#define ATOMIC64_OPS(op) 
ATOMIC64_OP(op) ATOMIC64_OP_RETURN(op) ATOMIC64_FETCH_OP(op) -+ATOMIC64_OP(add) -+ATOMIC64_OP_RETURN(add) -+ATOMIC64_FETCH_OP(add) -+ -+ATOMIC64_OP(sub) -+ATOMIC64_OP_RETURN(sub) -+ATOMIC64_FETCH_OP(sub) - --ATOMIC64_OPS(add) --ATOMIC64_OPS(sub) -+ATOMIC64_OP(and) -+ATOMIC64_FETCH_OP(and) - --#undef ATOMIC64_OPS --#define ATOMIC64_OPS(op) ATOMIC64_OP(op) ATOMIC64_FETCH_OP(op) -+ATOMIC64_OP(or) -+ATOMIC64_FETCH_OP(or) - --ATOMIC64_OPS(and) --ATOMIC64_OPS(or) --ATOMIC64_OPS(xor) -+ATOMIC64_OP(xor) -+ATOMIC64_FETCH_OP(xor) - --#undef ATOMIC64_OPS - #undef ATOMIC64_FETCH_OP - #undef ATOMIC64_OP_RETURN - #undef ATOMIC64_OP diff --git a/debian/patches/series b/debian/patches/series index b9c3bcd87..1073b33aa 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -117,11 +117,8 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch # Fix exported symbol versions -bugfix/sparc/adding-asm-prototypes.h-for-genksyms-to-generate-crc.patch -bugfix/sparc/sed-regex-in-makefile.build-requires-line-break-betw.patch bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch bugfix/all/module-disable-matching-missing-version-crc.patch